Monthly Archives: October 2014

Retailer says that credit and debit card numbers compromised.

On the same day that Dairy Queen announced their own malware-based data breach, Kmart (owned by Sears Holdings Corp.) reported the discovery that credit and debit cards were compromised after criminals installed malware on their payment systems.

According to the company, IT staff discovered the malware on Thursday (October 9). Additional investigation into the matter revealed that their systems were infected in early September.

The data compromised by the POS malware is commonly referred to as Track 2 data, which would enable a criminal to clone the customer’s card. However, other personal information was not exposed.

“Based on the forensic investigation to date, no personal information, no debit card PIN numbers [sic], no email addresses and no social security numbers were obtained by those criminally responsible,” Kmart said in a statement.

The incident only affects in-store shoppers only, as Kmart.com was not part of the breached systems. In response, Kmart says they’re offering customers credit monitoring (888-488-5978).

Kmart didn’t name the malware detected, but given the pattern in recent months, it’s likely that they, like Dairy Queen, were compromised by a variant of Backoff – a family of malware that targets POS systems.

In July, the US Secret Service warned retailers about Backoff, advising them that criminals were targeting poorly protected instances of RDP, including services from Microsoft, Apple, Chrome, Splashtop 2, Pulseway, LogMeIn, and Join.Me.

At the time of the initial warning, criminals had targeted some 600 businesses with Backoff.

On Thursday, Dairy Queen said that Backoff was responsible for POS compromises at nearly 400 stores. Kmart said that their investigation is ongoing, and that they are working with federal authorities.

Via: csoonline

Dairy Queen announced a data breach that affects some of its customers’ sensitive credit card information. The breach happened at certain Dairy Queen/Orange Julius locations across the country, including a dozen stores in Colorado.

“Because nearly all DQ and Orange Julius locations are independently owned and operated, we worked closely with affected franchise owners, as well as law enforcement authorities and the payment card brands, to assess the nature and scope of the issue,” a statement says.

“As a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country.”

Customers’ names, payment card numbers and expiration dates were compromised.  “We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, were compromised as a result of this malware infection,” the statement says. The company also says the problem has been contained.

The table below from the company shows the locations and time frames of Colorado stores that are involved. Many are in metro Denver but there are locations involved statewide.

Dairy Queen is offering free identity repair services for one year to customers who used a card at one of the impacted locations.

Here is a full list of impacted stores.

Via: kdvr

Google officially released the Chrome 38 browser on Oct. 9, providing users with few new features. The main focus of Chrome 38 is stability and security fixes—lots of security fixes.

In total, Google is patching 159 security vulnerabilities in Chrome 38, which is one of the highest numbers of security-related fixes for any single browser ever released. Going a step further, Google noted that it also made “113 relatively minor fixes” that it found with its open-source Memory Sanitizer application. Other browser vendors likely might have also counted the 113 memory fixes in their security totals, so for argument’s sake, let’s say that Chrome 38 fixes 272 security related issues.

That’s a whole lot of issues. To be fair, there is no evidence and no reports that any of those 272 issues have ever been exploited by anyone.

As part of the security updates, Google is paying out $75,633.70 in bug bounties to a number of security researchers for properly reporting issues to Google. The top award is a $27,633.70 award paid to Jüri Aedla for a vulnerability identified as CVE-2014-3188. That vulnerability could lead to remote code execution and is triggered by a number of bugs in the Google V8 JavaScript engine and the Inter-Process Communication (IPC) function.

Aedla is also being awarded an additional $4,500 reward for CVE-2014-3195, which is an information leakage issue in V8.

A security researcher identified only as “cloudfuzzer” is another big winner in the Chrome 38 money pile. Google credits cloudfuzzer with reporting CVE-2014-3189, CVE-2014-3190, CVE-2014-3191 and CVE-2014-3192, which are memory-related flaws including use-after-free memory errors. For his efforts, Google is paying cloudfuzzer the tidy sum of $11,000.

Google develops Chrome in a series of release branches that culminate in a final stable release. During the development process, multiple bugs were found, which Google is also recognizing with awards.

“We would also like to thank Atte Kettunen of OUSPG and Collin Payne for working with us during the development cycle to prevent security bugs from ever reaching the stable channel,” Google Chrome developer Matthew Yuan wrote in a blog post. “$23,000 in additional rewards were issued.”

The Chrome 38 release is also noteworthy in that it is the first since Google announced an increase in its bug payout schedule last week. Under the new reward schedule, the top listed payout is $15,000 for a Sandbox escape, complete with a high-quality report and a functional exploit. It’s interesting to note that Aedla was paid nearly double that for CVE-2014-3188.

Overall, Google has paid out over $1.25 million in bug bounties since it first began to reward researchers for reporting flaws in Chrome back in 2010.

Via: eweek

It’s a case of good news/bad news with the BadUSB firmware exploit.

BadUSB is a serious threat now out in the wild

There’s now posted on GitHub the source code for BadUSB (not to be confused with faux malware program called BadBIOS), which makes my experiment nine years ago look like a child’s game. BadUSB is a real threat that has serious consequences for computer hardware input devices.

BadUSB writes — or overwrites — a USB device’s firmware code to carry out malicious actions. First announced in July 2014, BadUSB was discovered by a pair of computer researchers at Security Research Labs in Berlin, who then demoed their discovery at the Black Hat Conference.

The attack is feared because all the traditional methods of checking for malice on a USB storage device do not work. The malicious code is planted in the USB’s firmware, which is executed when the device is plugged into a host. The host can’t detect the firmware code, but the firmware’s code can interact with and modify software on the host computer.

The malicious firmware code could plant other malware, steal information, divert Internet traffic, and more — all while bypassing antivirus scans. The attack was considered so viable and dangerous that the researchers only demoed the exploit. In an abundance of caution, they didn’t release the proof-of-concept code or infected devices. But two other researchers reverse-engineered the exploit, created demonstration code, and released it to the world on GitHub.

Cue the drama that has already appeared on news and consumer tech sites like CNN, the Atlanta Journal-Constitution, the Register, and PC Magazine, exclaiming, “The world is going to be full of malicious USB devices!”

Why the BadUSB exploit goes way beyond USB

First, it’s important to recognize that the threat is real. USB firmware can be modified to do what the research scientists claim. Hackers all around the world are probably downloading the proof-of-concept code, making malicious USB devices, and using the proof-of-concept code as a launching point for acts far more malicious than the researchers’ test exploit.

Second, the problem isn’t limited to USB devices. In fact, USB devices are the tip of the iceberg. Any hardware device plugged into your computer with a firmware component can probably be made malicious. I’m talking FireWire devices, SCSI devices, hard drives, DMA devices, and more.

For these devices to work, their firmware has to be inserted into the host device’s memory where it is then executed — so malware can easily go along for that ride. There may be firmware devices that can’t be exploited, but I don’t know a reason why not.

Firmware is inherently nothing more than software instructions stored on silicon. At its basic level, it’s nothing but software programming. And firmware is necessary to enable the hardware device to talk to the host computer device. The device’s API specification tells the device’s programmers how to write code that makes the device work properly, but these specifications and instructions are never assembled with security in mind. Nope, they were written to get items to talk to each other (much like the Internet).

It doesn’t take many programming instructions to enable malicious activity. You can format most storage devices or “brick” a computer with a handful of directions. The smallest computer virus ever written was a mere 35 bytes in size. The payload in the GitHub proof-of-concept example is only 14K, and it includes lots of error checking and finesse coding. Believe me, 14K is tiny in today’s world of malware. It’s easy to embed and hide malware in any almost firmware controller.

In fact, there’s a very good chance that hackers and nations have long known about and used these firmware backdoors. NSA watchers have speculated at length about such devices, and these suspicions were confirmed by recently released NSA documents.

The scary truth is that hackers have been hacking firmware devices and forcing them into unauthorized actions for as long as firmware has been around.

BadUSB is the biggest threat you can be take off your panic list

The reality is you should have been at least nervous about any firmware device plugged into your computer — USB or otherwise — for a long time. I’ve been that way for nearly a decade.

Your only defense is that you plug in firmware devices from vendors you trust and keep them under your control. But how do you know the devices you’ve been plugging in haven’t been compromised en masse or haven’t been tampered with between the vendor and your computers? The leaks from Edward Snowden suggest the NSA has intercepted computers in transit to install listening devices. Surely other spies and hackers have tried the same tactics to infect components along the supply chain.

Still, you can relax.

Malicious hardware is possible, and it may be used in some limited scenarios. But it’s unlikely to be widespread. Hardware hacking isn’t easy. It’s resource-intensive. Different instruction sets are used for different chip sets. Then there’s the pesky problem of getting the intended victims to accept the malicious devices and insert it into their computers. For very high-value targets, such “Mission Impossible”-style attacks are plausible, but not so much for the average Joe.

Today’s hackers (including the spy agencies in the United States, the United Kingdom, Israel, China, Russia, France, Germany, and so on) enjoy far more success using traditional software infection methods. For example, as a hacker, you can build and use a supersophisticated and supersneaky Blue Pill hypervisor attack tool or go with a common everyday software Trojan program that has worked well for decades to hack a much larger number of people.

But suppose malicious firmware or USB devices started to appear broadly? You can bet that vendors would respond and solve the problem. BadUSB has no defense today, but it could be easily defended against in the future. After all, it’s simply software (stored in firmware), and software can defeat it. The USB standards bodies would probably update the specification to prevent such attacks, microcontroller vendors would make malice less likely to occur from firmware, and operating system vendors would probably respond even sooner.

For example, some operating system vendors now prevent DMA devices from accessing memory before a computer fully boots or before a user logs ins, solely to prevent discovered attacks coming from plugged-in DMA devices. Windows 8.1, OS X (via Open Firmware passwords), and Linux have defenses against DMA attacks, though they typically require users to enable those defenses. The same sorts of defenses will be implemented if BadUSB becomes widespread.

Don’t fear BadUSB, even if a hacker friend decides to play a trick on you using his maliciously encoded USB thumb drive. Do like me — don’t use USB devices that haven’t been under your control at all times.

Remember: If you’re worried about being hacked, be far more worried about what runs in your browser than what runs from your firmware.

Via: infoworld

The FTC, FCC and state attorneys general accuse the company of making millions of dollars from unwanted third-party charges.

AT&T will pay US$105 million to settle complaints from the U.S. Federal Communications Commission, the Federal Trade Commission and 51 state-level governments that it made millions of dollars through unauthorized third-party charges on customers’ mobile-phone bills.

The settlement, announced Wednesday by the two agencies and 51 state attorneys general, includes $80 million for consumer refunds and $25 million in penalties, the agencies said. AT&T knew of potential problems with premium text-messaging services for years and sought in 2011 to reassure third-party billers by saying it would limit refunds to two months, FTC Chairwoman Edith Ramirez said during a press conference.

“This should have, and in fact did, ring alarm bells at AT&T,” she said. “Instead of acting to stop the practice, AT&T continued to make hundreds of millions of dollars from the practice.”

The $9.99-per-month third-party charges included horoscope, ringtones and celebrity gossip, the agencies said.

AT&T said in a statement that it has in the past allowed its mobile customers to purchases services like ringtones from third paries using PSMS (Premium Short Messaging Services). “We would put those charges on their bills,” a spokesman said. “While we had rigorous protections in place to guard consumers against unauthorized billing from these companies, last year we discontinued third-party billing for PSMS services.”

The settlement resolves complaints that some of AT&T’s mobile customers were billed for charges they did not authorize, the spokesman said by email. “This settlement gives our customers who believe they were wrongfully billed for PSMS services the ability to get a refund.”

The settlement is the largest in FCC enforcement history and the first joint enforcement action brought by the FCC, FTC and state attorneys general.

AT&T has stopped premium text billing and as part of the settlement will put “rigorous” checks in place to police third-party billing, FCC Chairman Tom Wheeler said. Some third-party billing continues at U.S. carriers, the agencies said.

The two federal agencies brought similar complaints of third-party mobile bill “cramming” against T-Mobile earlier this year.

Via: itworld

The number of products having perfect scores is up in AV-TEST’s latest test for virus protection for Windows 7, and Microsoft is still at the bottom.

AV-TEST Institute’s August 2014 (Windows 7 SP1) test results

 Image: AV-TEST

Back in the day, a person could raise the hood, and get the car running again. That is no longer the case. Trying to decide whether an antivirus application is working or not is not all that different. There was a time when feeding an EICAR file to the antivirus program was enough of a test. In today’s complex digital world, using EICAR to decide the value of an antivirus application is not enough. Like today’s vehicles, antivirus software needs testing by experts.

Carrying the analogy further, one hopes to find a great mechanic who charges reasonable rates. Hoping to find an unbiased, independent test lab to decide which AV protection solution best fits the company’s needs is also important. AV-TEST Institute is one test lab gaining that kind of reputation and is affordable — providing detailed free test reports on most antivirus products now marketed.

AV-TEST Institute’s August 2014 (Windows 7 SP1) test results are now available. The company reports on 33 antivirus applications: 24 consumer-oriented antivirus programs and 9 corporate-endpoint protection packages. This article focuses on the corporate antivirus test results, the consumer antivirus test results are posted here.

Here’s more about AV-TEST and how the company works.

In-house testing software

To get accurate test results, the developers at AV-TEST use their own test software. Sunshine, one of the software tools, analyzes what happens to the test computer’s (loaded with the AV application being tested) file system, registry, internal processes, and memory. Sunshine also monitors network traffic to and from the test computer when malware is executed.

VTEST, another AV-TEST software tool, melds 40 different antivirus scanners into a cohesive unit, allowing test engineers to monitor malware activity as it executes. After which the engineers compute reaction times of the antivirus product being tested.

Test modules

With the tools in place, AV-TEST staff then look at three specific categories: Protection, Performance, and Usability. Maik Morgenstern, part of the CEO team and technical director, clarified the significance of each during an email conversation.

Protection: This category tests an antivirus application’s effectiveness against current online threats (zero-day and web/email malware). Each test computer visits 150 to 200 known malicious websites, and the protection software tool checks if the AV product can detect and block any attack. The test computer is also subjected to malicious files and watched to see if the AV software detects known threats embedded in the files.

The significance of visiting 150-200 websites for protection testing was unclear. How are the websites chosen? Morgenstern said, ” AV-TEST systems crawl the Web looking for potential malicious content every day, analyzing tens of thousands of websites. If a harmful website is discovered, it is added to the test regimen.”

Morgenstern also said that all computers loaded with an AV product being tested are subjected to the malicious URLs simultaneously to ensure each AV product faces the same parameters. After which the testers:

1. Check if the malicious URL is blocked.
   
2. If not blocked, the malicious content is allowed to download.
   
3. If the download is not blocked, the malicious content is allowed to execute.
   
4. If the malware is then detected, that fact is recorded; if not detected, the tester waits two more minutes to see if the AV product locates the malware.
   
5. After the online portion is completed, the computer’s system-state is checked to see if the malware was successful in altering any of the system files.
   

Performance: This testing measures the impact an antivirus package has on the speed of the computer. Five scenarios are covered: downloading files, visiting websites, installing applications, using applications, and copying files. The results are compared to a clean computer without AV software installed. The test is repeated multiple times to eliminate outliers, and allow AV-TEST engineers to calculate a stable average.

Usability: An AV program has to instill trust by not issuing false positives. Throughout testing an AV package, the test engineers track how many false detections are generated, and how they might affect users. The following test parameters are used:

● AV-loaded test computers visit 500 websites known to be benign; any false positives are noted.

● AV-loaded test computers scan thousands of files (also benign) looking for false detections.

● Forty popular and malware-free applications are installed on each computer with engineers noting whether the AV application considered the newly-installed program a threat.

That is how each antivirus program is tested. Now let’s see what results the team at AV-TEST obtained.

 Image: AV-TEST

The good news is obvious, and so is the bad news about Microsoft. For specific test results and more detailed explanations please refer to the online test results for each product. The next slide is a comparison of the current test results with two earlier reports, showing whether an application improved or not. The test scores (0.0 to 6.0) in each of the categories are arranged in the following order: Protection, Performance, Usability.

 Image: AV-TEST

Morgenstern’s comment about the results is encouraging, “Overall, we are seeing a positive trend in the malware-detection results.” He said, “Only the Microsoft products are falling behind with 20 percent smaller detection rates than the average.”

Morgenstern also said, “Please note the percentages of the results are mathematically rounded. All test criteria were developed in close cooperation with the developers and users of these tools. Vendors could cross-check the results.”

Via: techrepublic

The personal information of AT&T might have been compromised when an employee viewed account information without proper authorization, according to a letter the company sent to victims.

Offering a “sincere apology,” the telecom company wrote, in a letter signed by Finance Billing Operations Director Michael Chiaramonte, that the accounts were accessed by the employee in August 2014 and that they contained information could have included Social Security numbers and driver’s license numbers, as well as Customer Proprietary Network Information (CPNI). That information is “related to the telecommunication services” purchased from the company, the letter explained.

Victims can sign up for complementary credit monitoring services and they are being prompted to change their passcodes. The employee who viewed the information no longer works for AT&T.

Via: scmagazine

The hotel chain blocked outside hotspots while charging customers up to $1,000 per device to access its own Wi-Fi service.

Here’s some payback for everyone who has felt gouged by hotel charges for Wi-Fi service: Marriott International has to pay $600,000 following an investigation into whether it intentionally blocked personal Wi-Fi hotspots in order to force customers to use its own pricey service.

The U.S. Federal Communications Commission looked into allegations that employees of Marriott’s Gaylord Opryland Hotel and Convention Center in Nashville used signal-blocking features of a Wi-Fi monitoring system to prevent customers from connecting to the Internet through their personal Wi-Fi hotspots, the regulator said in its consent decree. The hotel charged customers and exhibitors $250 to $1,000 per device to access Marriott’s Wi-Fi network.

The hotel’s Wi-Fi blocking violated the U.S. Communications Act, the FCC said.

“Consumers who purchase cellular data plans should be able to use them without fear that their personal Internet connection will be blocked by their hotel or conference center,” FCC Enforcement Bureau chief Travis LeBlanc said in a statement. “It is unacceptable for any hotel to intentionally disable personal hotspots while also charging consumers and small businesses high fees to use the hotel’s own Wi-Fi network. This practice puts consumers in the untenable position of either paying twice for the same service or forgoing Internet access altogether.”

Marriott said it believes its actions were legal.

“Marriott has a strong interest in ensuring that when our guests use our Wi-Fi service, they will be protected from rogue wireless hotspots that can cause degraded service, insidious cyber-attacks and identity theft,” the company said in a statement. “Like many other institutions and companies in a wide variety of industries, including hospitals and universities, the Gaylord Opryland protected its Wi-Fi network by using FCC-authorized equipment provided by well-known, reputable manufacturers.”

The company will push for the FCC to create rules that “eliminate the ongoing confusion” from the settlement, Marriott said.

The FCC received a complaint in March 2013 from a person who attended an event at the Gaylord Opryland. The hotel was “jamming mobile hotspots so that you can’t use them in the convention space,” the complaint alleged.

The FCC Enforcement Bureau, during an investigation, found that employees of Marriott used a Wi-Fi monitoring system to target guest-created Wi-Fi hotspots, in some cases disconnecting customers’ devices from their own hotspot access points.

Marriott, under the terms of the consent decree, must stop using Wi-Fi blocking technology and change how it monitors and uses Wi-Fi at the hotel. Marriott must also create a compliance plan and file compliance reports with the FCC every three months for three years, including descriptions of any access-point containment technologies the company uses at any of its U.S. properties, the agency said.

Via: computerworld

Hewlett-Packard has confirmed reports that it plans to break itself into two companies.

One of the companies, comprising HP’s enterprise hardware, software and services businesses, will be known as Hewlett-Packard Enterprise, the company announced Monday. The other, made up of its PC and printing businesses, will be called simply HP Inc., and will keep the HP logo.

Both of the new companies will be publically traded, and HP shareholders will be given shares in both firms. HP expects to complete the break-up by the end of its 2015 fiscal year, which ends on Oct. 31 next year.

President and CEO Meg Whitman, who’s been fighting to get HP back on track after years of missteps under previous management, will retain those roles at Hewlett-Packard Enterprise. Dion Weisler, who heads HP’s Printing and Personal Systems business, will be president and CEO of HP Inc., while Whitman will be its chairman, HP said

For customers of HP’s PC and printer business, the split simply changes the kind of uncertainty they face, said Ranjit Atwal, a research director at Gartner.

“Creating a separate company introduces uncertainty about its future — but there was already uncertainty about what HP wanted to do with the PC and printing business,” he said.

One thing to watch will be whether this frees the two halves of HP to create enterprise solutions with other vendors, he said — either allowing Hewlett-Packard Enterprise to offer other vendors’ PCs and printers, or encouraging other integrators to choose HP.

In a statement, Whitman painted the move as positive for the company, even though she originally vowed to keep HP whole when she took on the top job.

“The decision to separate into two market-leading companies underscores our commitment to the turnaround plan,” she said.

“It will provide each new company with the independence, focus, financial resources, and flexibility they need to adapt quickly to market and customer dynamics, while generating long-term value for shareholders,” Whitman said.

\In the short term, HP said the financial outlook was bleaker. On Monday it revised downward its full-year forecast for net earnings per share (EPS) according to generally accepted accounting principles. It now expects to report net EPS in the range of US$2.60 to $2.64, down from the $2.75 to $2.79 it forecast in late August.

More heads will roll as part of the HP’s restructuring plan, which has already seen 36,000 employees leave. The company now expects to lay off a total of 55,000 staff under the plan, it said Monday, up from its late August estimate of 45,000 to 50,000. The increase is unrelated to the separation announcement.

The PC industry has seen upheaval over the last few years, with IBM selling its PC business, and later its server division, to Lenovo, while Dell sold itself to private investors. Atwal speculated that HP had found no one to buy its PC business, however, prompting it to pursue a tax-free stock split instead.

The question of whether the stock split will be taxed is one of the few obstacles HP sees to the deal. Among the principal closing conditions it cited were approval from the board of directors, and the receipt of favorable rulings with respect to the tax-free nature of the transaction. HP plans to give its stockholders one share in each of the new companies for each share they hold in the old one.

Via: networkworld

Well, that didn’t last long.

18 months after opening its doors to the public, Redbox Instant (the online streaming arm of those Redbox kiosks you see in grocery stores around the country) is shutting down. The service will officially hit the lights and kill the servers on October 7th.

News of the shutdown comes by way of a notice posted on the service’s front page:

Thank you for being a part of Redbox Instant by Verizon. Please be aware that the service will be shut down on Tuesday, October 7, 2014, at 11:59 p.m. Pacific Time.

Information on applicable refunds will be emailed to current customers and posted here on October 10.

In the meantime, you may continue to stream movies and use your Redbox kiosk credits until Tuesday, October 7 at 11:59 p.m. Pacific Time.

We apologize for any inconvenience and we thank you for the opportunity to entertain you.

The idea behind Redbox Instant wasn’t a terrible one: for $6 a month, you got access to their online streaming catalog and four DVDs a month from their physical kiosks. In theory, this allowed customers to access newer movies than streaming alone would allow.

Alas, it really just never caught on. While Netflix’s catalog may have some gaps, Redbox’s paled in comparison. As GigaOm points out, the company’s execs publicly admitted to being disappointed by the subscription numbers back in August.

Add in the fact that Redbox has been unable to sign up new customers for months due to suspicions that credit card thieves were using the sign-up system to test stolen cards, and the whole thing sort of just fell apart.

I used the service for about a week during a free trial, but found myself back on Netflix before the week was out. Will anyone out there miss this one?

Via: techcrunch